Posted by Soulskill on Friday June 18, 2010 @05:31PM
from the way-to-commandeer-taco dept.

rtfa-troll writes "Beef Taco is a Firefox extension that allows a mass opt-out from tracking and targeted advertising by many ad networks. The Register reports that the original system, TACO, has become proprietary, and has added new 'features' best described as bloatware. I guess this should serve as a warning for users to always prefer software under a copyleft license where possible. If Google had chosen a license with better protection, such as the GPL, when it released its own opt-out tool, this problem would have been much less likely. This also shows why forks are so important when software development begins to get messy."

Google released theirs with the Apache 2.0 license. Someone else took that, re-wrote (apparently significant) portions and released it with a different name. THAT PERSON then sold it to a company, who then decided to bundle a bunch of for-pay stuff with it. People didn't like it, and forked the previous version.

Exactly HOW would the GPL have been better? There's still a fork of the last "good" version, which you can use if you like.

As said by others, this would force the proprietary version to be released under the GPL.

Now, about how much better that is, it would allow you to get the newest version and strip off any bloatware. Instead of just forking, you could maintain kind of a parallel fork, stripping each new release, or incorporate useful enhancements in Beef TACO.

The GPL community not only wants their community to grow but it wants others to shrink. Otherwise, this wouldn't be an issue at all. What difference does it make to GPL advocates what happens to non-GPL projects? The answer is simple and revealing.

The GPL community not only wants their community to grow but it wants others to shrink. Otherwise, this wouldn't be an issue at all. What difference does it make to GPL advocates what happens to non-GPL projects? The answer is simple and revealing.

The community isn't a solid block of harmony wherein all members share the exact same opinion of non-GPL projects. Still, assuming you are 100% correct in all cases, I have no problem with that either. Why? Because they are doing it the right way, through persuasion and voluntary cooperation and not through coercion or force. Each owner of each project can decide how their code will be licensed. The GPL community is not going to send goons to intimidate them into eschewing proprietary licenses. They m

+1 informative. NOW I understand the advice not to contribute unless it's GPL copyleft. It protects your volunteer work.

Exactly right; lots of the anti-GPL FUD spread around has its origin in people, like Microsoft, who don't want you having their work, but feel they have the right to steal yours. There's another group which is specifically doing the free stuff now with the hope of getting people addicted and then doing a bait and switch later (look for FreeBSD developers who switched over to Apple e.g. or Nessus which was under the GPL but with one primary copyright owner who could just change the license). The MIT /

Obviously it doesn't apply in this case, as it's non-GPL, and it's a fork of another tool, but if TACO were originally written as a GPL program, not a fork of some other tool, and rights to all code submitted stayed with the TACO development team (or external contributions weren't accepted, or weren't made in the first place,) it's possible that when the development team was bought out, they'd have the right to release future versions under a non-GPL license. Look at what happened with XFree86.

I'll field this answer. There is more to it than what a commercial/proprietary interest will not be able to "take" from the community. There is also the moral, ethical and even emotional/spiritual aspects of F/OSS that need to be guarded. I don't use "spiritual" in the religious or supernatural sense either. I mean the "spirit of" meaning sense of the expression. When some people are working to build something and then some jackass comes along and uses it to make his fortune, it really takes the community spirit out of a project. It is rather like "RebelEFI" versus EmpireEFI. EmpireEFI is a nice project. RebelEFI has tainted it with their motives and their generally deceptive and selfish nature.

So while it is true that the community still has the untainted version(s) available to them, there is still some ugliness that really tends to sap the positive energy out of a project when commercial proprietary for-profit people come along to do selfish things with it. And I don't expect you or anyone else to fully understand it. If you do understand what I am saying, then you probably already agree with me -- so I'm not changing anyone's mind or giving anyone something new to think about by stating any of this. But by seeing and acknowledging this view point and rejecting it for whatever reason, you have to be honest with yourself about who you are inside and what drives and instincts you more closely identify with. If you disagree with the perspective I have expressed, then you are quite likely from the other camp who essentially believes it is okay to use the work of others for your personal gain.

So in short, part of the benefit of the GPL is to preserve the spirit of open source as well as the software itself.

"There is more to it than what a commercial/proprietary interest will not be able to "take" from the community. There is also the moral, ethical and even emotional/spiritual aspects of F/OSS that need to be guarded."

But they didn't "take" from the community, the community gave it to them. It was moral, ethical, and emotional/spiritual as well as all the other BS words you can think to throw into it.

It's curious that GPL advocates care so much about the desires of the original developers except when those d

If you make a work based on a GPL work, even if you "rewrote" parts of it, it is still non-literal copying of the work, if the structure of the program is based on the GPL program, which is copyright infringement (unless you obey the GPL license, and distribute the rewritten non-literal copied work under GPL terms.)

Once all the GPL code is removed, what is left of the "structure" that is still GPL? Who could possibly say that the program was based on a "GPL work" at that point (if it ever was)? You can't copyright knowledge or ideas.

To get a local copy of the source just contact us at support@getabine.com

This is even less than Microsoft shared source. If I was basing something, for example a security audit, on this offer I'd want to know that someone independent had actually downloaded the source and verified that they could build the end module.

And funny thing is, the GPL allows a written offer to physically distribute the source code to qualify as compliance. In fact, it is required if the object code is distributed physically too, as for example GPL code inside a flash ROM inside a physical device. (Yep, exactly what you think it is.)

Maybe you've heard of Joomla! ?
http://en.wikipedia.org/wiki/Joomla [wikipedia.org]
which was basically my point. Today, if you think "Free CMS" you'll probably think "Joomla!" long before you think of Mambo, who mishandled the open-sourciness of an open/closed joint project.

Someone else took that, re-wrote (apparently significant) portions and released it with a different name. THAT PERSON then sold it to a company, who then decided to bundle a bunch of for-pay stuff with it.

Had this been GPL, the person who rewrote significant portions of the software would have to have released his derivative works as GPL. He could have sold his portion of the software under any license, but the work as a whole would have to be GPL. The company that bought the rights to the software would have to remove any GPL portion, or release the entire thing (including proprietary addons) under GPL.

But you're also making the assumption that if the code was under the GPL would he have bothered to rewrite it since the sales value would have been near zero. There's no guarantee there'd be more open code using the GPL, there'd possibly be one less proprietary competitor but Google explicitly released it under a license that permits it and I doubt they're so incompetent they didn't know it. If Google don't like it then it's their own mistake and they'll choose a better license next time. If they don't care, then this is just someone in the open source community being butthurt over code they didn't get the same way the MAFIAA is over a sale they didn't make.

That's pretty much my point. Why would someone say that Google using the GPL would have avoided the issue? It was an open project that got forked when one party did something others didn't like. With or without the GPL, there'd be a fork if someone added that much extra stuff to what was a very lightweight and fast addon, and there was, no GPL needed.

If the original author re-wrote substantial portions which allowed change of license from the Apache license and then licensed it under the GPL, then sold their rights and copyright to a new buyer, the new buyer has full rights to take future versions closed source provided no other open source code was utilized or a compatible license (BSD) was covering the source code included within the whole of the source.

Had this been GPL, the person who rewrote significant portions of the software would have to have released his derivative works as GPL. He could have sold his portion of the software under any license, but the work as a whole would have to be GPL. The company that bought the rights to the software would have to remove any GPL portion, or release the entire thing (including proprietary addons) under GPL.

Not at all. The Firefox extension could have been under GPL in its entirety, including the part that ru

Or he may have rewritten a little more to remove the GPL entirely or he might have not done the project at all. The GPL doesn't promise that future projects will exist. That seems to be hard for GPL fanboys to understand.

Oddly enough, the author used existing open source to contribute to a new project in compliance with and in the spirit of the license for that source, yet people complain because THEY can't have the new source despite having contributed to none of it. The GPL wouldn't have promised t

Exactly HOW would the GPL have been better? There's still a fork of the last "good" version, which you can use if you like.

The company would have to release the source code (because it would have been a derivative of a GPL software), so their users would know exactly what was added. Then, they could make an educated decision whether to upgrade and continue using the product, or find an alternative/fork. Some would qualify this as "better."

GPL software also forks all the time. It's not a big deal. The only argument on the GPL side seems the old dubious "proprietary is evil" one.

The original software did not become proprietary anyway. If it did it would be impossible to fork it legally. Instead, someone added some proprietary chunks to open source software; the original software did not become proprietary and no one lost any rights anywhere regarding this software.

OK, that's pretty much my understanding as well. GPL or not, there most likely would have been a fork anyway at this point when it got so much un-wanted stuff added to it, so Google using GPL instead of the Apache 2.0 license wouldn't have avoided anything.

Exactly HOW would the GPL have been better? There's still a fork of the last "good" version, which you can use if you like.

There is always a balance when choosing a license. The main advantage (IMHO) with choosing the GPL over something like the Apache license is that you don't have to compete against proprietary versions that are based on the code you wrote. As an author this is a significant consideration for me. If I am the primary author, it would suck to have features from my free version used with impunity when I am unable to use features from the proprietary version. It gives the proprietary version an unfair advantage (unfair in that as the primary author I can't enjoy the same privileges).

However, there are lots of reasons to choose non-copyleft licenses for work. Sometimes the benefit you receive from extended exposure outweighs the disadvantage of unfair competition. Given that Google was the primary author and *they* aren't complaining, I have to agree with you that there doesn't seem to be a problem. If they got what they want, then it is all good. However, I can understand if the authors of the forked version want to use the GPL to avoid having to unfairly compete against the proprietary version.

The TACO guys did it wrong. First, they changed what the add-on fundamentally did. Second, they slapped their company name all over the thing. Third, they displayed a pop-up after the update. Fourth, they loaded a web page after the update. Fifth, that web page was loaded with lots of "selling" language but no substance.

They triggered every single warning about malware I have in my brain. I didn't even bother to look into what it was they were trying to sell. I uninstalled the add-on immediately.

I'd say this is example #1 in the upcoming book, How Not To Commercialize A Firefox Add-on.

It can feel frustrating when something you are using goes from free to commercial. You often get the "sold out" feeling.

But there's also a different perspective:

If someone makes something, and loves working on it, why wouldn't he want to try to be able to work in it full-time? But to do so, he needs income. He needs to survive. I suppose he could ask for donations, but that might not be a viable option.

It can be frustrating for the rest of us, but personally, I understand it if someone would want to w

It can feel frustrating when something you are using goes from free to commercial. You often get the "sold out" feeling.

I love when something free goes commercial. Red Hat is one of my favourite companies. What annoys me is when something "Free" goes proprietary. These are two very different things. For such a license change Mozilla should be insisting on a change of name so that people who don't want the change still have their computer free of that stuff.

Just last week I got a notice to "upgrade" TACO to 3.0 and foolishly did so. A tiny little 8KB add-on became a 3MB disaster. Now it has new features which clash with other add ons or were redundant for me. Music streaming was broken for some sites and best of all, the old version, while available (and compatible), will no longer install on Firefox 3.6.

After uninstalling it, I downloaded the source for 2.0 and was planning to attempt a fix, but now I don't have to. Obviously someone else was just as irritated, to that individual I say, "Thank you."

This way, they can sell the data on and still stick to their 'privacy policy':
"Our Abine browser add-on uses hashes of unique identifiers that are not tied to you or your IP address, to help you track versions and updates for the add-on, and a different set of randomly generated identifiers to validate service requests such as creating or updating disposable email addresses. If you chose to provide more data in order to take advantage of additional services, such as webmail, add-on identifiers are never used in a way that ties it to your name or personal information to the best of our ability."
Also, Eric Jung is on their 'Advisory board':
http://abine.com/team.php [abine.com]
If you don't know who he is, he is a board member of Mozilla Add-Ons governing board. This 'update' has made a mockery of the update mechanism in Firefox and severely undermines it in my view. Here's a link to the support board over at Abine, where I have been voicing my disapproval and I recommend you do the same:
https://www.getabine.com/phpBB3/viewtopic.php?f=4&t=7&start=10#p37 [getabine.com]

It gets worse, check this page out:
http://forums.passwordmaker.org/index.php/topic,1654.0.html [passwordmaker.org]
Surely it's a massive conflict of interest for Eric Jung to be a board member of the Mozilla Add-ons governing board and to be actively working on an Add-on, especially one like this?

Also, Eric Jung is on their 'Advisory board':
http://abine.com/team.php [abine.com]
If you don't know who he is, he is a board member of Mozilla Add-Ons governing board.

Wrong. Eric Jung is on the board of Mozdev [mozdev.org], an independent organization dedicated to hosting Mozilla-related projects (like a specialized Sourceforge). He is not part of the Mozilla Add-ons team.

I'm in charge of the add-on review process at Mozilla, and I personally reviewed and approved the TACO update due to its complexity. I have no relationship with Abine whatsoever.

Then why does it say that on the Abine site? I'm sorry, but you should be ashamed to let this past you. It went from 8K to 3MB, that is not a simple update and I fear this is breeding a lot of mistrust in the Firefox update mechanism. How are you going to regain users' trust after this?

The update was approved because it passes all our quality checks. It is not up to us to determine what features a developer can include or not, and it is not a new thing for an add-on to change hands like this. It is up to the developers (new or otherwise) to give their users what they want. If they screw up, they will lose their users. Our job is to make sure the add-on is safe to use and it does what it claims it does. The new TACO has a ton of new features, most disabled by default, but its core functionality remains.

Most users are complaining about the package size and the new user interface, which are things that won't get the add-on rejected unless they make it unusable, and that is not the case for TACO. I see nothing to be ashamed about.

The problem was, this wasn't an update, it was a total rewrite. Therefore I feel you were wrong to let this be allowed to be downloaded via updating TACO 2.0. This should have been treated as an entirely separate Add-on and it was very deceptive for it to be included in the TACO 2.0 update.
Maybe it's time to have rules that state if the Add-on's original function, codebase or license changes radically then it shouldn't be allowed to update via the Firefox update mechanism?

We have an unexpected features policy, also called No Surprises [mozilla.org]. We wouldn't have allowed the update if it enabled unexpected features for users, or if it had really changed its core functionality. But it didn't. It added several features, but they are also privacy and security tools, and they're turned off by default.

I don't agree that we should warn about codebase changes, since that's the developer's prerogative, but I do agree that we should communicate privacy policy or EULA changes. That's something that we can't do through Firefox at the moment, but we definitely want to include in the future.

We have an unexpected features policy, also called No Surprises [mozilla.org]. We wouldn't have allowed the update if it enabled unexpected features for users, or if it had really changed its core functionality. But it didn't. It added several features, but they are also privacy and security tools, and they're turned off by default.

So, in your opinion, a change that makes an add-on with no interface that just works out of the box with no interface elements at all into an add-on that adds multiple interface elements, pop-ups on pretty much every page (as almost every nominally popular site nowadays uses cookies in one form or another), and begins by flashing an introduction menu that contains among other things advertisement for "premium service"...

Is not a change that changes core functionality?

I mean really. One can split hairs and claim that it's "an add-on that generally protects your privacy by opting out of...", but in my, and apparently pretty much everyone's opinion, the sudden appearance of "features" like interface, pop-ups etc is a very, very serious change to core functionality. Which was from end-users point of view to STFU and just opt us out. The worst part is, this approval essentially dropped my trust towards Mozilla's auto-update function and add-on review process from full one hundred to zero. Because trust is hard earned (and mind you, you earned it with your hard work so far), and lost over one major failure. And allowing a hijack like this to be piggy backed as an "update" is a pretty damn major breach of trust. Whether you like it or not, this raises a question if the next update that you will decide that change is "minor" will get our UI painted full of targeted ads, which apparently will pass your check just as well so long as ads are relevant to core functionality of an add-on?

For the next time: if an add-on that previously required no user action other than installation and didn't do anything to tell user about itself starts using flashy pop-ups to advertise itself, adds elements to UI and gets a flashy configuration window with advertisements for its host company, it's a change of core functionality for end user. Even if developer in you feels it's a "small upgrade", for end user it will be a major change and in this case, a game breaking one.

What I've been trying to communicate here is that it is not our job to judge if an add-on is pretty or ugly, lightweight or bloated, subtle or in-your-face. Our job is to attest for its security, privacy protection, usefulness and ease of use. We reject add-ons that are impossible to figure out, have overly intrusive UI, or are annoying to users. The previous TACO did have some UI, little as it was, and the new one can be configured to be like that.

I know the new TACO is annoying to many, but I'm sure many others think otherwise. It's obvious that many TACO users like the minimalist interface it used to have, and are angered by the change, but that's something that the users need to judge, not us. There's already an alternative available if you want to switch.

And yes, when we say "core functionality", in this case it would mean warning about cookies and other trackers, and providing the means to block them.

FWIW, the people at Abine are well aware of the reception of this upgrade, and are already working on improving it.

Extensions by their nature have most of their source code in the open. You can easily read it, but not copy it of course. There's a part of this extension that is compiled code and you won't be able to read, though. Senior reviewers do get access to the compiled component source code in order to review.

What I've been trying to communicate here is that it is not our job to judge if an add-on is pretty or ugly, lightweight or bloated, subtle or in-your-face.

Except that it is. The very name of the policy, "No Surprises" clearly shows intent to prevent massive change from subtle to in-your-face, as you put it.

The problem that we have reading your replies is that you chose to go with utterly classic response that corrupt officials and companies go with when they get caught. They proceed to find a small ambiguous technicality in the letter of the policy, while murdering the entire spirit of the said policy in progress, smiling in and proclaiming their complete innocence and blaming the policy. The entire wording of the name of the policy clearly suggests that you are there to weed out "subtle to in-your-face" changes. Yet because of technicality in the policy that you as a mod can use every time you want, it actually means absolutely nothing. Nothing in it actually stops you as a moderator from, for example, paying back a "monetary favor" by allowing a company that purchased a known add-on from making it a targeted advertisement add-on, full with annoying pop-ups, as long as it mainly does what it did before. Even if doing it is a small fraction of the new version and bulk is focused around selling unwanted crap, and in fact flies in the face of everything the previous versions of add-on stood for.

I'm sorry, but this stinks. In a major way. It essentially means that the moment someone finds a morally weak spot in the mod chain, millions of end users can be literally fucked over with no recourse whatsoever. And it's the lack of recourse that's most bothersome. There isn't even a way to properly complain about a clear breach of trust issue, because it still adheres to letter of the policy, even if spirit of it is murdered in the process, at least according to you.

I think AC below put it best:

The Changing of Defaults and Unexpected Features [mozilla.org] add-ons policy appears to address what an add-on does when it's first installed. It doesn't adequately address notifications of changes pushed in updates to add-on functionality.

Essentially there's a nice and functional loophole in the policy that allows anyone with sufficient interest in the issue to circumvent the policy entirely by publishing new add-on as a continuation of a popular existing one and making sure that mod happens to be someone he knows well enough and owes a favor, or is sufficiently naive to imagine that this isn't a "surprising change". This in spite of add-on update policy naming scheme that clearly shows that it was its intent to do the same as policy on what review happens when add-on is first installed.

I know it's very hard for some people to understand that not all commercial companies are out there to get them, with evil plots to steal their identity and money. You must think that Abine is this all-powerful corporation that bribes all editors and is scheming to take all innocent, OSS-loving TACO users and screw them over. Well, I'm sorry to disappoint you. If you think this update is harmful to the general public (and I would disagree), then that's a problem with our policies, and ultimately my problem.

I was replying to somebody who was questioning my work ethics. I'm sorry if the response was harsh. I also agree that Abine could've handled things much better, but that doesn't mean that they broke our rules. Whether we should change our rules about this is a matter of debate, and we'll surely be talking about it these days.

Thanks for that; now I understand your policy clearly; that you insisted on the features being switched off and that you would have liked to warn about the license, I'm much happier about the Mozilla update process than I was. Is there any bug related to the lack of license change notification that we can vote for??

The Changing of Defaults and Unexpected Features [mozilla.org] add-ons policy appears to address what an add-on does when it's first installed. It doesn't adequately address notifications of changes pushed in updates to add-on functionality.

My problem with this, and the reason why I'm willing to accept the policy as it stands is that I'm constantly surprised by the new features in NoScript [noscript.net]. However this is in a good way. I find it solving problems I had never even realised I had and that, once I know about them I realise I wanted them solved. Adding features is a good thing. It's very difficult to write a policy which says which features should be allowed and which not. The easiest way is to make sure that those that might have a privacy

jorgevillalobos (1044924): I'm in charge of the add-on review process at Mozilla, and I personally reviewed and approved the TACO update due to its complexity....I see nothing to be ashamed about.

That's a problem. And thanks for warning us that you're in-charge. This TACO "upgrade" in your face commercialization was a HUGE surprise. If you don't understand what "No Surprises" means... That's a problem. Now unfortunately, because someone like you is in-charge, automatic upgrades are off. 100% will now have to be reviewed before acceptance. You and your supposed function have now become untrusted and thus irrelevant. Although, if you're incapable of understanding "No Surprises" I doubt you compre

http://www.getabine.com/team.php [getabine.com]
Jules Polonetsky - Co chair of Future of Privacy Forum, which coincidentally enough was funded by AT&T. No conflict of interest there. Chief Privacy Officer at DoubleClick, you know, the people who sell lots and lots of adverts on the internet? Seems strange that he would be interested in something that was designed to stop that?
Jim Jorgensen - CEO of AllAdvantage, you probably won't remember the name but you probably remember them as the company that tried to pioneer 'Paid to Surf' by bombarding users with adverts. Again, why would he be interested in something designed to thwart that? Why are these people interested in a company that seems to have no other means of making money apart from charging $50 to take down a youtube video?
http://www.getabine.com/deleteme/request.php?item=youtube [getabine.com]
This company stinks, I'll continue digging because I'm sure there's more

Not sure what you're saying is not a problem - the change to TACO or the forked Beef TACO. If you're talking about the changes to the original, I sort of agree with you. I can understand people being upset over the size expansion, particularly if it slows down Firefox or significantly increases its memory footprint, but is there any real problem with the changes that makes this some sort of malware? So far as I can tell, there's no malicious activity associated with the update. It's just big and bloated